- ids: TestIDsAreTimeOrdered asserted strict lexicographic ordering of back-to-back UUIDv7s, but the sub-ms tail is random and not required to be monotonic. Sleep between samples so each ID lands in a distinct millisecond — the property that actually gives Postgres index locality on (org_id, id desc).
- go.mod/go.sum: run go mod tidy. keyfunc/v3, prometheus/client_golang and testcontainers-go/modules/postgres are imported directly and should not be marked // indirect; also drops stale sum entries.
- gofmt -w across 12 files flagged by the lint job.
- security.yml: pin govulncheck to v1.2.0. @latest triggers a proxy lookup every run, which is the step that hung for 16m on the Gitea runner.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
29 lines
743 B
YAML
name: Security

on:
  push:
    branches: [main]
  schedule:
    # Monday 06:00 UTC — weekly vuln sweep so new CVEs surface without a push.
    - cron: '0 6 * * 1'

jobs:
  govulncheck:
    name: Vulnerability Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'

      - name: Install govulncheck
        # Pinned rather than @latest: @latest forces a proxy lookup every
        # run, which is the step that hung for 16m on the Gitea runner.
        # Bump this line when a new govulncheck release is wanted.
        run: go install golang.org/x/vuln/cmd/govulncheck@v1.2.0

      - name: Run govulncheck
        run: govulncheck ./...
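A lint that keeps the pin in the install step above from regressing, as an added example that is not part of this repository: it flags `go install` commands in workflow text whose version is resolved at run time. `UnpinnedInstalls` and `Finding` are hypothetical names, and the sample workflow lines in `main` are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one `go install` argument whose version is not an exact release tag.
type Finding struct {
	Line    int
	Module  string
	Version string // empty when no @version was given
}

// Matches the package argument of `go install`, allowing flags before it.
var goInstall = regexp.MustCompile(`\bgo\s+install\s+(?:-\S+\s+)*([^\s@'"]+)(?:@([^\s'"]+))?`)

// Exact semantic version tag, e.g. v1.2.0 or v0.5.1-rc.1.
var exactTag = regexp.MustCompile(`^v\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$`)

// UnpinnedInstalls reports `go install` commands that resolve their version at
// run time (@latest, a branch name, or nothing). Local paths (./...) are skipped.
func UnpinnedInstalls(workflow string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "#") {
			continue // a YAML comment that mentions @latest is not a command
		}
		m := goInstall.FindStringSubmatch(line)
		if m != nil && !strings.HasPrefix(m[1], ".") && !exactTag.MatchString(m[2]) {
			out = append(out, Finding{Line: n, Module: m[1], Version: m[2]})
		}
	}
	return out
}

func main() {
	// Constructed sample: the pinned form from the workflow, then the @latest form.
	sample := "# @latest forces a proxy lookup\n" +
		"run: go install golang.org/x/vuln/cmd/govulncheck@v1.2.0\n" +
		"run: go install golang.org/x/vuln/cmd/govulncheck@latest\n"
	for _, f := range UnpinnedInstalls(sample) {
		fmt.Printf("line %d: %s@%s is not pinned\n", f.Line, f.Module, f.Version)
	}
}
```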